389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

moddn ACI filtering on object being moved #5223

Open payu-mpas opened 2 years ago

payu-mpas commented 2 years ago

I would like to create a moddn ACI which allows moving only a subset of objects from the source tree, based on attributes of the objects being moved.

The ACI in question should allow the IPA it_support user group to delete-preserve all users except those belonging to the admins user group:

dn: dc=my,dc=org
changetype: modify
add: aci
aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org))")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)

doesn't work at all, because targetfilter is executed against cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org and not against the user object which is modified.

Is there something I can use to reference the object which is moved, or does 389ds not have such functionality?

Used version (CentOS 7): 389-ds-base-1.3.10.2-14.el7_9.x86_64

Firstyear commented 2 years ago

On 22 Mar 2022, at 21:50, Michal Pasierb @.***> wrote:

> I would like to create a moddn ACI which allows moving only a subset of objects from the source tree, based on attributes of the objects being moved.
>
> The ACI in question should allow the IPA it_support user group to delete-preserve all users except those belonging to the admins user group:
>
> dn: dc=my,dc=org
> changetype: modify
> add: aci
> aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org))")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)
>
> doesn't work at all, because targetfilter is executed against cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org and not against the user object which is modified.

I think the issue is in the target_from line. This is allowing that group to move cn=users itself to deleted users, I think.

Could you try:

aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org))")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///uid=*,cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)

Note the addition of the uid=* in target_from.

> Is there something I can use to reference the object which is moved, or does 389ds not have such functionality?
>
> Used version (CentOS 7): 389-ds-base-1.3.10.2-14.el7_9.x86_64


-- Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management SUSE Labs, Australia

payu-mpas commented 2 years ago

I tested with:

aci: (targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///uid=*,cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)

so only users from the admins group should be allowed to be deleted, but it doesn't work:

acl__ressource_match_aci - entry cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org does not match (memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)

I think targetfilter is always matched against target_to instead of target_from. I think this is not a bug and seems logical, but I would like to match against target_from. Is that possible?

Firstyear commented 2 years ago

On 24 Mar 2022, at 01:19, Michal Pasierb @.***> wrote:

> I tested with:
>
> aci: (targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///uid=*,cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)
>
> so only users from the admins group should be allowed to be deleted, but it doesn't work:
>
> acl__ressource_match_aci - entry cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org does not match (memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)
>
> I think targetfilter is always matched against target_to instead of target_from. I think this is not a bug and seems logical, but I would like to match against target_from. Is that possible?

I'm not sure that checks out; in my mind targetfilter is applied to the "target of the operation", which should be the from entry rather than the to entry. But if this is the behaviour, I think we would need to be careful about changing it...

Does anyone else have any ideas? Thierry?


-- Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management SUSE Labs, Australia

tbordaz commented 2 years ago

@payu-mpas, what specific MODDN are you trying to do?

target_from and target_to are basically subtrees. Here the ACI grants the 'moddn' right to it_support to move entries from cn=users to cn=deleted_users, on the condition that the entry is a memberof cn=admins.

Looking at

acl__ressource_match_aci - entry cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org does not match (memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)

it looks to me that the destination entry (of the MODDN) is cn=deleted_users. Is that correct? Does it belong to cn=admins?
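As an added example, not part of this thread or of 389-ds-base: a small Python checker that splits an ACI of the shape discussed above into its target clauses and its version/acl/allow block, then evaluates the targetfilter against two constructed entries, a user who is a member of cn=admins and the cn=deleted users container. It shows what the negated filter yields for each evaluation target: the admin user is correctly excluded, while the container, which has no memberOf at all, satisfies the filter trivially. The entry contents and the helper names are assumptions.

```python
import re

# Constructed ACI in the shape of the one discussed in this thread (not a live config).
ACI = ('(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org))")'
       '(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")'
       '(target_from = "ldap:///uid=*,cn=users,cn=accounts,dc=my,dc=org")'
       '(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) '
       'groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)')

# Constructed entries (attrs lowercased): an admins member being moved, and the destination container (no memberOf).
USER = {"uid": ["alice"], "memberof": ["cn=admins,cn=groups,cn=accounts,dc=my,dc=org"]}
CONTAINER = {"cn": ["deleted users"]}

def parse_aci(aci):
    """Split an ACI into its (target* = "...") clauses and its version/acl/allow block."""
    targets = dict(re.findall(r'\((target\w*)\s*=\s*"([^"]*)"\)', aci))
    m = re.search(r'\(version\s+([\d.]+);acl\s+"([^"]*)";(allow|deny)\s+'
                  r'\(([^)]*)\)\s+(\w+)\s*=\s*"([^"]*)";\)', aci)
    if not m:
        raise ValueError("no version/acl/allow block found")
    return {"targets": targets, "version": m.group(1), "name": m.group(2),
            "effect": m.group(3), "rights": [r.strip() for r in m.group(4).split(",")],
            "bind_rule": (m.group(5), m.group(6))}

def _parse_filter(s):
    """Recursive-descent parser for (attr=value), (!...), (&...), (|...); no escape handling."""
    if s[1] in "&|!":
        op, s, kids = s[1], s[2:], []
        while s.startswith("("):
            kid, s = _parse_filter(s)
            kids.append(kid)
        return (op, kids), s[1:]                  # skip the closing ')'
    end = s.index(")")
    attr, val = s[1:end].split("=", 1)
    return ("=", attr.lower(), val), s[end + 1:]

def _eval(node, entry):  # evaluate a parsed filter against an attr -> [values] dict
    if node[0] == "=":
        vals = entry.get(node[1], [])
        return bool(vals) if node[2] == "*" else any(v.lower() == node[2].lower() for v in vals)
    op, kids = node
    if op == "!":
        return not _eval(kids[0], entry)
    return (all if op == "&" else any)(_eval(k, entry) for k in kids)

def filter_matches(aci, entry):
    node, rest = _parse_filter(parse_aci(aci)["targets"]["targetfilter"])
    if rest:
        raise ValueError("trailing text after filter")
    return _eval(node, entry)
```

Running `filter_matches(ACI, USER)` gives False and `filter_matches(ACI, CONTAINER)` gives True, which is why an ACI review should confirm which entry the server actually feeds to targetfilter on a MODDN before relying on a negated filter to carve out exceptions.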